New AV2010 hides behind TDSS

vdub12

Just a heads up to help anyone save some time. Yesterday I got an AV2010 infection in and thought it would be a simple fix like most of them are.

Well, the new AV2010 has changed. It now hides behind TDSS and is not as easy to remove as it was in the past. The executables hide in the sys32 and sys32/drivers directories now rather than app data. I had a hell of a time finding it all and suspected a rootkit but did not think the AV line had gotten that advanced.

After finally getting rid of the rogue I was still getting browser redirects and winupdate would not work. It all made sense when I found TDSS. The new rogue will not install in a VM so I am loading a fresh copy of Windows XP on an old drive in my test system. I am going to do a test infection to make sure, but it looks like the rogues are going to start using rootkits.

Hope we can keep up,
anyway hope this info helps everyone.
 

Interesting it won't run in a VM, that's generally what I play with to remove viruses. They are getting too advanced! They need to get out more instead of sitting in a dark room wreaking havoc, even if it does pay me:):):):)
 
Oh gosh. Got a client call the other day for this very infection. Told them it would be an hour. Little did I know that the virus was hiding behind TDSS Rootkit. Took 3 hours to completely remove. It hijacks the internet protocols too and resetting them via WinsockReset doesn't work either.

To completely remove this, I used ComboFix.... worked AMAZINGLY WELL! :) Best tool ever. I run it whenever the client has google links redirecting somewhere else... and it always works!

http://download.bleepingcomputer.com/sUBs/ComboFix.exe


-Mike
 
I have seen these before as well, especially with the browser redirects caused by TDSS rootkits, which are getting much more common. +1 for ComboFix; also TDSSKiller by Kaspersky seems to do a good job at finding infected drivers and only takes a minute to run.
 

Note that TDSS Killer is able to find infections in the Master Boot Record (MBR) which other antiviruses and even MBAM won't. What this means is if you clean the computer and reboot without cleaning the MBR, then your customer will be reinfected. We've seen in our labs a few machines unsuccessfully cleaned by Staples and Office Max amateur techs because they don't know this.

Combofix is useless for 64-bit computers until its creators realize there are now 64-bit rootkits out in the wild and that the 64-bit operating system digital signatures for driver signing have been compromised.

Also remember that if you're truly cleaning malware, it's more than relying on your tools to automagically fix everything, manual tools (autoruns, process explorer, ubuntu) are what separates the boys from the men.

Welcome to a new era.
 

Does TDSS Killer find all varieties of rootkits, for instance is it a replacement for other anti-rootkit software? It is the first dedicated rootkit software I have found which removes rootkits automatically. Do you know any way to manually detect/remove MBR viruses or hidden/infected system drivers? I have been seeing significantly more of these lately and don't have any real method of detection other than TDSS Killer or standard scanning programs which may or may not find them.

Regards,
Liam.
 

I would say TDSS Killer is the only tool that my lab has used so far that can effectively remove rootkits in the 64-bit environment without going offline to clean it, however it seems to break the OS 1/8 times it is used. TDSS Killer seems to work by running a hash check of all the drivers in %systemroot%/Windows/System32/Drivers. There's also Bootkit Remover which will detect the presence of an MBR virus.

Read my guide How to Remove an MBR Virus for a comprehensive explanation.

Combofix will remove MBR infections however it ONLY works with 32-bit operating systems, but it'll work quite effectively in those cases.
 
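The question above asked for a manual way to spot MBR infections and patched system drivers, and the reply describes TDSSKiller as hashing the drivers directory. As an added example (not code from the thread, from TDSSKiller or from any of the tools named here), this script does both checks offline: it parses a 512-byte MBR image, validates the 0x55AA signature and partition table, and compares the SHA-256 of the 440-byte bootstrap code with a known-good baseline; and it hashes every `*.sys` file in a directory against a baseline manifest, reporting unknown, modified and missing drivers. The sample sector, the driver files and their baseline hashes are all constructed inline and are not real indicators of anything; the baseline in practice would come from a known-good sector and drivers directory of the same Windows release.

```python
"""Offline MBR and driver-hash checks (added example; all sample data constructed)."""
import hashlib
import struct
import tempfile
from pathlib import Path

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440         # bootstrap code; the disk signature starts at 0x1B8
PART_TABLE_OFF = 0x1BE      # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE        # 0x55 0xAA marks a bootable sector


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR image into signature flag, bootstrap hash and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes skipped), type, CHS end (3 skipped), LBA start, count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "valid_signature": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
    }


def mbr_findings(sector: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return the reasons the MBR looks wrong; an empty list means it matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sector: the given bootstrap code plus one bootable NTFS-type partition."""
    body = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")
    body += b"\xde\xad\xbe\xef" + b"\x00\x00"            # disk signature + reserved bytes
    body += struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
    body += b"\x00" * 48                                 # three empty partition entries
    body += b"\x55\xaa"
    assert len(body) == SECTOR_SIZE
    return body


# Constructed clean image and the baseline hash taken from it.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" * 20)
BASELINE_BOOTSTRAP_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOTSTRAP_LEN]).hexdigest()
# Constructed tampered image: same partition table, replaced bootstrap code, which is
# the shape of change a bootkit makes so the disk still boots but through its loader.
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 100)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def driver_findings(driver_dir, baseline: dict) -> list:
    """Compare every *.sys in driver_dir against a {filename: sha256} baseline manifest."""
    findings = []
    seen = set()
    for path in sorted(Path(driver_dir).glob("*.sys")):
        seen.add(path.name)
        digest = sha256_file(path)
        if path.name not in baseline:
            findings.append("%s: not in baseline (unknown driver)" % path.name)
        elif baseline[path.name] != digest:
            findings.append("%s: hash mismatch (patched or replaced)" % path.name)
    for name in sorted(set(baseline) - seen):
        findings.append("%s: missing (deleted or hidden from directory listing)" % name)
    return findings


def demo_driver_check() -> list:
    """Constructed drivers directory: one clean, one modified, one unknown, one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "atapi.sys").write_bytes(b"MZ clean atapi driver")
        (d / "ndis.sys").write_bytes(b"MZ clean ndis driver")
        baseline = {name: sha256_file(d / name) for name in ("atapi.sys", "ndis.sys")}
        baseline["tcpip.sys"] = "0" * 64                             # expected but absent
        (d / "atapi.sys").write_bytes(b"MZ patched atapi driver")   # modified in place
        (d / "unknown.sys").write_bytes(b"MZ unexpected driver")    # not in the baseline
        return driver_findings(d, baseline)


if __name__ == "__main__":
    print("clean MBR:", mbr_findings(CLEAN_MBR, BASELINE_BOOTSTRAP_SHA256))
    print("tampered MBR:", mbr_findings(TAMPERED_MBR, BASELINE_BOOTSTRAP_SHA256))
    for line in demo_driver_check():
        print("driver check:", line)
```

Both checks are only trustworthy when run against an offline copy (sector 0 and the drivers directory read from a boot CD or a mounted image), which is the point of the "ubuntu" remark earlier in the thread: a live kernel-mode rootkit can filter sector and file reads so that the infected boot code or driver hashes back as clean. A hash mismatch is a lead to investigate, not proof of infection; legitimate updates also change driver hashes, so the baseline has to match the patch level of the machine.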

ComboFix is a great tool. However, I think it gets flagged by some AV programs. I went to use it the other day and it was gone off my thumb drive. It's the strangest thing. All I could figure is some customer's AV program must have gotten it.


TDSSKiller is great. This is what I used to fix the OP.
 

I know McAfee will delete it right off my flash drive. I renamed it and haven't had any more trouble.
 

That's funny. AV programs delete it because they feel threatened. I'm surprised they don't delete my install file for MSE too.
 

Speaking of MSE, there's a variant of thinkpoint (hotfix.exe) that actually presents virus infection notifications that look exactly like MSE's alerts, complete with functional buttons and animations. I ran this through our test bench machine without MSE installed and that notification popped up. Quite amusing.:D
 

I have heard of that one but have not had a chance to play with it.

I would love to if you still have it.
 

I believe I have a sample back at the office, shoot me an email (spider pig at ucsd.edu) without the spaces and at = @
 

Just sent you an email. Make sure you password protect the zip file otherwise gmail will flag it.

Thanks.
 